
Wednesday, October 5, 2022

What is an IDOR?


 

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.

This type of vulnerability can occur when a web server uses user-supplied input to retrieve objects (files, data, documents), places too much trust in that input, and does not validate on the server side that the requested object belongs to the user requesting it.

 

Example:

Imagine you've just signed up for an online service, and you want to change your profile information. The link you click on goes to http://davindertutorials.com/profile?user_id=1105, and you can see your information.

Curiosity gets the better of you, and you try changing the user_id value to 1000 instead (http://davindertutorials.com/profile?user_id=1000), and to your surprise, you can now see another user's information. You've now discovered an IDOR vulnerability! Ideally, there should be a check on the website to confirm that the user information belongs to the logged-in user requesting it.
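The missing check, shown as an added example that is not code from the site in the post: a handler that trusts user_id from the URL next to one that compares it with the user bound to the session. The profile data, the session table, the cookie value and all function names are assumptions made up for the illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: profiles keyed by user id, and a session table
# mapping a session cookie value to the authenticated user id.
PROFILES = {
    1000: {"name": "Alice", "email": "alice@example.test"},
    1105: {"name": "Bob", "email": "bob@example.test"},
}
SESSIONS = {"session-bob": 1105}


def _requested_id(url):
    """Extract user_id from the query string; None if missing or not numeric."""
    values = parse_qs(urlparse(url).query).get("user_id", [])
    if len(values) != 1 or not (values[0].isascii() and values[0].isdigit()):
        return None
    return int(values[0])


def profile_vulnerable(url, session_cookie):
    """Trusts user_id from the URL: any logged-in user can read any profile."""
    if session_cookie not in SESSIONS:
        return 401, None
    user_id = _requested_id(url)
    if user_id not in PROFILES:
        return 404, None
    return 200, PROFILES[user_id]


def profile_checked(url, session_cookie):
    """Same lookup, plus the server-side ownership check."""
    owner = SESSIONS.get(session_cookie)
    if owner is None:
        return 401, None
    user_id = _requested_id(url)
    if user_id is None:
        return 400, None
    # Authorization: the requested object must belong to the session's user.
    # Foreign and unknown ids both get 404, so the reply does not confirm ids.
    if user_id != owner or user_id not in PROFILES:
        return 404, None
    return 200, PROFILES[user_id]


if __name__ == "__main__":
    for uid in (1105, 1000):
        url = f"http://davindertutorials.com/profile?user_id={uid}"
        print(uid, profile_vulnerable(url, "session-bob")[0],
              profile_checked(url, "session-bob")[0])
```

Run as a script, it prints the status each handler returns for the two URLs from the example, using the session of user 1105.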

 

 
